Telstra’s Interpol filter goes live

The nation’s largest telco Telstra tonight confirmed it had started filtering its customers’ Internet traffic for a blacklist of sites containing child pornography as compiled by international policing agency Interpol.

The move to switch on Telstra’s filter is the first known implementation of a voluntary filtering framework developed by the ISP industry’s peak representative body, the Internet Industry Association. Publicly unveiled just several days ago on Monday this week, the voluntary filter is expected to be adopted by most Australian Internet service providers this year.

Customers who visit one of the sites on Interpol’s list will be greeted by an Interpol ‘stop page’ which will explain that the content they have attempted to access is illegal, along with instructions as to how they can challenge Interpol’s ruling. Those who believe their web site has been inadvertently blocked by Interpol are able to ask for a review via the agency’s own website, or will be able to contact the Australian Federal Police, which Telstra has worked closely with on the filter’s implementation.

The Interpol list is believed to have been in use for a number of years, with telcos such as BT, O2 and Virgin having blocked addresses on it from reaching customers for some time. For a site to get onto the list, law enforcement agencies in at least two separate jurisdictions have to validate the entry as being illegal and not just potentially offensive. In addition, the children depicted in content on the sites must be younger than 13 years of age, or perceived to be less than 13.

Under the IIA’s scheme, ISPs who use the Interpol list to block access to child pornography would be doing so in accordance with “a legal request for assistance” under Australia’s existing Telecommunications Act (section 313). Because of this, and unlike the wider mandatory filtering scheme, the IIA believes that no new legislation will be required to implement the Interpol-focused framework.

The implementation of Telstra’s filter follows a whirlwind process over the past week, since the telco first revealed it was considering using the list generated by Interpol.

Last Saturday, Telstra revealed it was close to achieving executive sign-off for its internal filtering proposal, and the involvement of the Interpol list. Then on Monday, the IIA revealed Telstra’s proposal was part of a wider industry framework under development. Since that time, Optus has also confirmed its support for the framework, although other ISPs such as iiNet and Internode have yet to commit to implementing the scheme.

The limited filtering initiative is a stop-gap measure agreed to by ISPs and the Federal Government in mid-2010 while a review is carried out into the Refused Classification category of content which the Government’s wider mandatory filter project is slated to block. The ISPs’ filter will only block sites with child pornography — instead of those with illegal content in general.

The implementation of the more limited filter has not raised the same degree of public criticism which the Government’s more comprehensive Internet filter has attracted since the policy was first unveiled back in late 2007. In addition, the IIA has sought to distance its own policy from the Government’s approach, and hopes the widespread implementation of the filter aimed solely at child pornography will take some heat out of the debate about the wider filter initiative.

While the EFA has praised the work of Australia’s law enforcement authorities, and believes it is appropriate for the IIA to work together with them, it believes that it is better to adequately fund and equip those authorities to fight crime themselves rather than seeking to block material online.

59 COMMENTS

Just venting… the thing that is so wrong about this is it will be absolutely trivial to get around.

Just use hidemyass.com or proxify.com and it is circumvented, change your DNS servers and it is circumvented.

Hell, I hear a lot of people use OpenDNS instead of the Telstra DNS because of how flaky Telstra’s can be. Conroy was lampooning the previous government’s NetAlert PC filter because it took someone with administrator access to the computer 30mins to defeat. That is until they fixed the software a few days later.

Remember that the NetAlert filter program has been abandoned in favor of this?

Ask any parent what they would prefer to control over?
1/ Content they have never stumbled on and will never see, or
2/ Porn, violence or whatever it is they find offensive.

Conroy should know this was “cracked and hacked” before it even came through the portals. Talk about scams.

In fact many had posted how to defeat this more than two years ago! Fully predicted how this would be bypassed. Given the song and dance they made of 30mins, that was on a poorly configured PC, and rectified anyway, he should be ashamed.

Sadly, Telstra are my only option for ISP at the moment (every other application for ADSL returned no ports available except Telstra).

I’ve just updated my modem’s DNS server settings to override what is assigned by Telstra and use Google’s 8.8.8.8 DNS Server. Took me 30 seconds including modem restart and now all my devices at home, including my iPad are bypassing the Telstra Filters, which in principle I must do.

I bet it would take longer to have material added to the Interpol blacklist and propagate the changes to the ISPs than it would to contact the Hosting company/admin and alert them to the fact that their site is hosting Child Sexual Abuse material and have them remove it completely.

So not only does Interpol’s blacklist block entire domains (massive overblocking), it only takes 30 seconds to bypass the filters but by the time new material is blocked by the ISPs, if Interpol bothers to attempt to contact the web hosts of the offending sites, it will have already been removed from the Internet and that domain blocked forever (Interpol’s site claims domains are not removed from their list).

I’ve just updated my modem’s DNS server settings to override what is assigned by Telstra and use Google’s 8.8.8.8 DNS Server. Took me 30 seconds including modem restart and now all my devices at home, including my iPad are bypassing the Telstra Filters, which in principle I must do.

umm, how exactly does that bypass the filter?

Sure you’re resolving DNS external to Telstra, but the connection to the IP still has to connect via Telstra’s network, so http can easily still be blocked.

Telstra is using DNS poisoning; don’t use Telstra’s DNS servers and you have bypassed their “block”.

Sure you’re resolving DNS external to Telstra, but the connection to the IP still has to connect via Telstra’s network, so http can easily still be blocked.

No, Telstra and the IIA are relying on a rather novel interpretation of the Telecommunications Intercept Act (TIA) as it is. This may be challenged and I wouldn’t be staking anything significant on the outcome if it was.

3. Whenever a Telstra customer goes to view any content from http://www.example.com the first thing that happens is their client looks up the IP address. As it is on the Interpol list Telstra’s DNS returns the poisoned IP address a.b.c.d instead of the correct one.

Hopefully you see that the ability of being able to block is entirely dependent on the client using Telstra’s DNS to resolve the IP. Don’t use Telstra’s DNS and you will get the correct IP address of 1.2.3.4 and you are now considered a LEET hacker by supporters of the policy.

If Telstra did molest the IP traffic to 1.2.3.4 and perform “filtering” instead of DNS poisoning they would be in breach of the TIA as it would be considered an illegal intercept, to do that they need the same kind of warrants that the AFP need when tapping your phone or internet connection. Don’t have a warrant? Go straight to jail, do not pass go.

I forgot to add that this is the same reason you hear opponents talk about massive overblocking.

All content hosted on http://www.example.com will get redirected to the CP block page.
Every. Single. Webpage.

Before you say it isn’t an issue think about the dentist site that was on the ACMA blacklist. Someone had compromised their webserver and put some dodgy content on there to share amongst a small group of people. It was buried in the website so unless you knew the exact URL you wouldn’t find it.

This was brought to the ACMA’s attention; instead of telling the website owners their site was hacked they just added it to the blacklist. Under the IIA’s current policy the entire site would be blocked for every Telstra user that tried to visit it.

Would you let your child visit a dentist for treatment that had their website blocked for hosting child porn? Would you continue to use them? Would you confront them or just find a new dentist?

Guess what happened when the dentist finally found out their site was compromised? First thing they did was to remove the offending content. If the ACMA had contacted them first the content would have been removed as soon as it was found. It shouldn’t take the leaking of the blacklist to get rid of the content.

Even if it was the only entire single site and not all sites on the virtual server, hackers would have a field day putting their services to hire so you could bring down your opposition’s website by getting it blacklisted without them even knowing.

You’ve got to think the process of having your website removed from the Interpol blacklist and that removal filtering down to the ISP Level wouldn’t be a quick one.

It’s been bad enough in the past when I’ve had my domain added to a blacklist for spamming because of an infected computer on the network. It took 48 hours to have the blacklist removed from most lists and 2 full weeks before all the blacklists updated.

It was bad enough we couldn’t send out any emails to clients whose ISP used those blacklists on their email servers but if our entire site had been inaccessible things would have been much worse.

There are a lot of dangers and exploits that might be worth it if the child sexual abuse material was being removed from the Internet and not filtered and those responsible for the creation of the material were caught and prosecuted, but that’s not the case with the filtering. As we’ve shown, it can be bypassed on entire local area networks within a matter of 30 seconds…

All risk no reward other than possible future justification for Mandatory Government Controlled ISP Filtering.

No, they are poisoning individual DNS records, to keep it simple it’s the first part of the URL, so they will be able to discriminate at the domain/sub domain level only.

The DNS maps the sub/domain to the IP address; normally your client contacts your ISP’s DNS and if it hasn’t looked it up recently it goes to the internet to find the “authoritative” DNS that the webmaster has set up when they created the website once they know what their IP address will be.

In this example Telstra’s DNS server normally isn’t the authoritative server as someone is hosting the webserver, poisoning is essentially when the sysadmin tricks Telstra’s DNS and uses a locally programmed IP address for the record and doesn’t look it up from the authoritative DNS.

Also it is likely that all poisoned records will be pointed to the same IP address, the address of the block notification page.
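Added example, not part of the original article or comments: a small Python model of the resolver-level blocking described above, showing why a hostname entry catches every URL on that host while sibling hostnames are untouched. The addresses, the list entry and the URLs are constructed (RFC 5737 documentation ranges); `STOP_PAGE_IP`, `BLOCKLIST` and the function names are hypothetical.

```python
"""Model of resolver-level blocking by hostname (all data constructed)."""
from urllib.parse import urlsplit

# Constructed stand-in for what the authoritative DNS servers would answer.
AUTHORITATIVE = {
    "www.example.com": "192.0.2.10",
    "blog.example.com": "192.0.2.11",
    "www.example.org": "198.51.100.7",
}
STOP_PAGE_IP = "203.0.113.1"      # hypothetical address of the block notification page
BLOCKLIST = {"www.example.com"}   # hypothetical list entry: a hostname, never a URL

REPORTED_URL = "http://www.example.com/hidden/upload/123.jpg"
SAMPLE_URLS = [
    REPORTED_URL,
    "http://www.example.com/",
    "http://WWW.Example.COM./contact",
    "http://blog.example.com/post/1",
    "http://www.example.org/",
]


def normalise(host):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return host.rstrip(".").lower()


def filtering_resolve(host, blocklist=BLOCKLIST):
    """Answer like the filtering resolver: a locally programmed record for
    listed names, the authoritative record for everything else."""
    name = normalise(host)
    if name in blocklist:
        return STOP_PAGE_IP
    return AUTHORITATIVE.get(name)   # None models a name that does not exist


def audit(urls, reported_url, blocklist=BLOCKLIST):
    """Show which URLs one hostname-level entry catches, and which of those
    are collateral (blocked although they are not the reported URL)."""
    rows = []
    for url in urls:
        host = urlsplit(url).hostname   # path and query never reach the resolver
        answer = filtering_resolve(host, blocklist)
        blocked = answer == STOP_PAGE_IP
        rows.append({"url": url, "answer": answer, "blocked": blocked,
                     "collateral": blocked and url != reported_url})
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_URLS, REPORTED_URL):
        state = "STOP PAGE" if row["blocked"] else "resolves "
        note = "  (collateral)" if row["collateral"] else ""
        print(f'{state} {row["answer"]:<14} {row["url"]}{note}')
```
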

The Interpol website below also states that if a blacklisted domain removes the child sexual abuse material that got it blacklisted but still contains illegal material as determined by the laws of one or more countries it will remain on the blacklist, so the blacklist almost certainly already contains domains that don’t host any child sexual abuse material at all.

“If found not to contain child sexual abuse material according to the “Worst of”-list criteria, but still illegal material according to national legislation in one or more countries, the material will remain inaccessible in those countries.”

So the Telstra filter is easily bypassed, blocks domains that don’t host any child sexual abuse material, and overblocks by blocking entire domains (according to the first line in the link above).

And here I was worrying about scope creep and overblocking happening in the future, not the instant it’s turned on…

Something you may not have noticed is that the content will only be unavailable to the countries it is illegal in. You seem to be implying that if, for example, pictures of surfboarding were illegal in all European countries, then they would be filtered in Australia. However, the quote you posted says that such pictures would only be banned in Europe, where they are illegal.

Basically that means Telstra will ‘Block’ (block is a horrible way to describe what they’re doing) only content that contains ‘Worst of-‘ CP and content that is illegal in Australia which is hosted on a server that has, in its past, been on the list for CP.

OK, so Telstra now blocks access to a domain list supplied by Interpol. So, ah, what’s the problem? Go out and argue with Interpol boys, they maintain the list. Can’t spend your whole lives panning agencies’ actions when you have so little visibility into what they do. The AFP and Interpol etc can only be amused that people out here seem to think they know more about what the AFP and Interpol do than the AFP and Interpol… You have no idea at all if there is massive overblocking, you are just assuming for the argument’s sake…

Because it is a secret list, neither you nor I really know what they are blocking. We know what they say they are blocking, and since they say they are blocking domains not URLs, this means that if they are doing what they say they are doing, they are overblocking, since a single domain may contain many websites apart from the offending one, and even that website may have only one offending page and many that do not.

This applies, even if you totally trust that the list is composed of what they say it is. Experience with similar regimes elsewhere in the world shows that this trust is almost certainly misplaced.

– does not stop a single piece of CP from being produced.
– does not protect a single child from being abused.
– does not serve to facilitate the rescue of a single child that is being abused.
– does not stop those who wish to obtain CP from doing so.

You do not solve the problem by (trying) to hide it. And this doesn’t even hide it from those who really want to get their hands on it.

Spend the time and resources hunting down the producers, and shutting these sites down. That’s a far more valuable exercise.

I’m with Wyres. Do permanent things to the supply end, by using the demand end to FIND the supply end. Sweeping the lot under the rug so Mr. & Mrs. Q Braindead don’t have to watch their child(ren) online is yet another way to treat people like cattle. When not trying to teach our young stylised noises to associate with animals, do we moo, baa or bleat? No? Then let us use our own brains and quit screwing with our legal choices. If it’s illegal, I’ll volunteer to help end production. If it is not, GTFO & STFU.

The filter isn’t blocking these sites, which some people were telling me they would, and the speed hasn’t dropped but improved. Something has sped it up and I’ve done nothing any different to what I normally do.

Which sites exactly were you expecting to be blocked? The only filtered content is child pornography so either you need to be locked up, or you have a very poor information source, given it’s public knowledge that the voluntary filter would only be blocking the worst child pornography sites on the internet!

As for your speed increasing, you can also increase your internet speed by placing a piece of paper with the word FAST printed on it under your router. Give it a go. My ADSL2 download speeds tripled!

No, I will never go to those sites; they deserved to be blacked out. I just don’t know why people are fussed over those sites being blocked and leaving an ISP for it.

I wouldn't and don't access or view CP content either. I will virtually guarantee everyone speaking out against this policy doesn't access it either. How? Why would anyone accessing illegal and exploitative content bring attention to themselves?

Thing is though, if you wanted to access the content you still can, in fact many of Telstra's (and the other ISPs') customers will be able to do so without having to do anything. Telstra's DNS are known for being flaky and troublesome and many customers will be using Google's DNS or OpenDNS or any other number of DNS.

Anyone working in a workplace with a competent SysAdmin may also be circumventing if they are running their own DNS. You can even run your own DNS at home as well.

Hopefully you can see that it is a useless policy, the only reason Telstra appears to be pursuing this is they know it is a very low impact approach (technically) and that it might appease the government and stop them moving forward with a more restrictive and draconian version.

Much as I hate CP and Conroy I am reluctantly accepting the “interpol solution”. It is less open to manipulation by any Australian Government so that is a winner. It might shut Conroy up so that would be a good thing. If, and I do mean if, it stops you getting to a legitimate website there are two benefits: 1) It tells you why (unlike Conroy’s BS proposal) and 2) it is relatively easy to circumvent. However as an overall strategy to fight CP it is utter rubbish and propaganda.

Let’s all turn a blind eye to the evil that is CP. Ahhh that’s better now isn’t it?

This filter and its idiotic supporters are reprehensible (note: I only grudgingly accept the interpol solution. I never support it. I simply accept it because Conroy’s alternative is too horrible to contemplate).

We already know the sort of sites that get blocked.
ISP level filters based on the Interpol list have blocked such evil sites as:
Wikipedia
Archive.org
for hosting child porn images like those that appear on record covers.

Child protection laws in Australia are breached by hundreds of thousands of people every minute of the day. Those Simpson porn images we’ve accidentally seen on Google when you’ve browsed Google Images are enough to be in breach of federal law (and a few states). Yep, that alone, and browsing by accident is no excuse. A depiction, either in a story, drawn or photo, of a person under 18 is enough.

If accidentally browsing a site containing CP (or whatever) was enough for a conviction then popups would have sent the vast majority of us to jail years ago.

Hell I’ve wanted to numb my brain and read some /b/ and someone had posted a (fuzzed out over the main bits thankfully) CP pic, am I worried about getting a conviction? No, because there still has to be some form of intent involved.

Oh and Alan John McEwan had the pics on his computer, he didn’t just stumble on them via a google search.

Our Customer Terms require that customers do not breach laws when using their Telstra service. Consequently, steps made to block access to illegal content, such as the INTERPOL child abuse sites, do not constitute a change in the terms of our service.”

I think the last paragraph is interesting because it indicates that the scope of filtering could easily be widened without anyone even being aware.
